You've been iFramed

New Linux rootkit injects malicious HTML into Web servers

Most likely the work of a less-skilled Russian hacker.

A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers—including error pages. The rootkit, which was first publicly discussed on the Full Disclosure security e-mail list on November 13, appears to be crafted for servers running the 64-bit version of Debian Squeeze and NGINX.

An analysis of the rootkit by Kaspersky Lab found that the malware inserts HTML iframe elements into every page served up to Web browsers connecting to the server. It does this by replacing the kernel's TCP send routine (tcp_sendmsg) with its own code, so the injection happens as the response leaves the machine rather than in the files on disk. The malware then retrieves the code to be inserted into the iframe by connecting, botnet-like, to a command and control network with an encrypted password.

The rootkit, designated as Rootkit.Linux.Snakso.a by Kaspersky, is a new approach to drive-by downloads. They usually are based on PHP script—not code injected into the kernel of the operating system. Because the new rootkit infects the entire server and not just a specific page, the malware could affect dozens or even hundreds of websites at a time if it infects the server of a Web hosting provider.

According to Georg Wicherski, senior security researcher at Crowdstrike, the rootkit is most likely the work of a Russian hacker—and not necessarily a very skilled one. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience," Wicherski said in a blog post. But he said that the approach used "seems to be the next step in iframe-injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."
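A defender-side check that follows from the description above, written as an added example and not taken from the article, Kaspersky Lab or CrowdStrike: because the injection happens when the kernel sends the response, the document in the server's web root stays clean while the bytes that reach the client carry an extra iframe, so comparing the two exposes the injection. The sample HTML and the example.invalid URL are constructed; the fetch should be run from a separate host and the on-disk copy read out of band.

```python
"""Detect HTML injected on the wire (e.g. an iframe added by a kernel-level
hook) by comparing what the server serves with the same file on disk."""
from html.parser import HTMLParser
import urllib.error
import urllib.request

class _IframeCollector(HTMLParser):
    """Record the src of every <iframe> in a document, in order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")

def iframe_srcs(html):
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs

def find_injected_iframes(expected_html, served_html):
    """Return iframe src values in the served page that the on-disk page does
    not account for; a duplicated iframe is reported as well."""
    expected = iframe_srcs(expected_html)
    injected = []
    for src in iframe_srcs(served_html):
        if src in expected:
            expected.remove(src)      # legitimately present on disk
        else:
            injected.append(src)      # only exists on the wire
    return injected

def fetch_served(url):
    """Fetch a page as a browser would; 404/500 bodies are kept because the
    rootkit injects into error pages as well."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")

# Constructed sample: the error page on disk versus what reached the client.
ON_DISK = '<html><body><h1>Not Found</h1><iframe src="/ads.html"></iframe></body></html>'
ON_WIRE = ON_DISK.replace("</body>", '<iframe src="http://example.invalid/x" '
                          'width="1" height="1"></iframe></body>')
```

Run the comparison for a normal page and for a deliberately missing path, since the article notes that error pages are injected too.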

This is a redundant comment but probably worth repeating. Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

Interesting analysis of the rootkit itself, but how did the guy who found it running on his web server actually get infected?

Seems we don't know yet. From blog linked in article:

crowdstrike blog wrote:

It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.

This is a redundant comment but probably worth repeating. Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

Isn't one explanation (at least for some countries) that they are coerced by the mafia? Just what I've heard.

I also wonder sometimes how easy it really is to find high-paying work if you are a highly-skilled person in certain impoverished parts of the world. (again, no real knowledge of the reality of that.)

Just to verify, this isn't actually an exploit but just another type of injection method once you have access to the server? I was pooping my pants at first when I thought it was a full exploit against nginx to insert custom code.


Aye, this rootkit only works if the attacker ALREADY has root access to your box. The code mentioned here does not actually contain a single exploit in the kernel, GNU userland or NGINX. From the looks of it, it was actually installed by hand on the system by someone who either has physical access to it, or gained root access via some other vulnerability -- think of e.g. a poorly designed website with SQL injection, or a fault in PHP scripts, or similar as the original attack point.

I'm confused. It's being called a "Linux rootkit" but the only thing mentioned in the article is how it applies to HTML and nginx. How is this a Linux rootkit?

Well, most people seem to believe that anything that runs as root and does bad things equals a rootkit. I disagree with that definition, but alas, I'm not the majority.

In fairness, "root kit" sounds like "here's some kit you run once you're root."

Software that hides itself could be hiding a whole array of functionality, or it might have a very small payload. You might want a complete client for a C&C, or you might want something that is absolutely minimal and does nothing more than quietly copies packets to a second interface.

This seems like a case where just because some folks named "root kit" first it probably should change, and we need a new term for kernel-space cloaking.

This is a redundant comment but probably worth repeating. Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

It simply may be a difficulty to motivate themselves to do anything useful. Then they despair and do the first thing they can think of to make money.

I really want to know how this stuff got installed on the box to begin with. I'm now worried about my own servers. Also, the article said, "appears to be crafted for servers running the 64-bit version of Debian Squeeze and NGINX": are we sure that it only targets Debian Squeeze 64-bit? Depending upon the initial attack vector, this could have some serious consequences.

This is a redundant comment but probably worth repeating. Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

It simply may be a difficulty to motivate themselves to do anything useful. Then they despair and do the first thing they can think of to make money.

My first thought (as a developer) was, "What a cool idea! That would've been heaps of fun to write."

Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

They can make "quite a bit of money" doing this. Take a look at the past articles at Krebs On Security, he lays out exact dollar figures. Look at his post about how upset the pharm spammers were about some credit card/banking changes - he found hundreds of pages of bitching and complaints on a Russian hacker forum - strong evidence the hackers lost out on real money and profits. You can also find estimated profits discussed in some of the AV blogs, notably Kaspersky and Symantec.

Quote:

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

Money. It's profit motive. You're still thinking about this like Hollywood shows it, and like Anonymous tries to pull off, but that ended years ago among the real hackers.

Like others here, I'm curious as to how this malware was actually able to do anything worthwhile. It works by being loaded as a kernel module, like any other root kit; well that's fine and dandy, but there's still no explanation as to how exactly it could have been inserted as a module when all the relevant file locations and commands require root access to run.

Once that's known, we'll be in business in terms of ensuring this doesn't happen again; else, this is indistinguishable from the scores of other "Linux malware" specimens that are only proof-of-concepts because they have to be intentionally loaded.

So for once web admins are breathing a sigh of relief if they are managing windows servers?

No you should still be running scared as usual.

Linux administrators should go about their business since:

1. This seems to be an isolated incident.
2. There's no disclosed information on how the "root kit" ended up on the server in question. The only information presented so far is what the payload does after the box is rooted. For all anyone knows, some idiot down in the IT department was giving out his password to random people on the street.

This is a redundant comment but probably worth repeating. Anyone capable of writing an injection rootkit is capable of making quite a bit of money doing honest work.

Is there a study on what drives these people? Is it their urge to prove they are incredibly smart? Is it the adrenaline-seeking behavior that leads some folks to venture into insect infested jungles? Raw greed?

Isn't one explanation (at least for some countries) that they are coerced by the mafia? Just what I've heard.

I also wonder sometimes how easy it really is to find high-paying work if you are a highly-skilled person in certain impoverished parts of the world. (again, no real knowledge of the reality of that.)

How do we know that the person doesn't already have a high-paying coding job, and that this is done on the side in their spare time for some extra cash? They very well could be an office drone and enjoy this type of hacking as a hobby.

I'm impressed that he's actually gone so far and replaced the whole tcp_sendmsg implementation. Perfect hiding place, seriously I'd never think of searching for it there and doubt quite a few other people would.

Any Linux geeks know if this could be modified for other network related stuff? I assume so as it's just TCP? Could probably drop another Stuxnet style 'falsified readings' on a Linux SCADA implementation. That's pretty scary.

Wait, a "Linux" root kit that runs only on a couple of distros I've never heard of? What are Debian Squeeze and NGwhatever? What percent of web sites use these distros? This seems to be blown totally out of proportion if it doesn't target Red Hat, Ubuntu, SUSE, and other distros people actually use. Is this article more fuel for the Linux is just as insecure as Windows meme?

Wait, a "Linux" root kit that runs only on a couple of distros I've never heard of? What are Debian Squeeze and NGwhatever?

You've got to be kidding me. Have you ever searched on Wikipedia before? Here is some reading for you :

Nginx: "Nginx (pronounced “Engine-X”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX, HP-UX and Microsoft Windows."

Debian: "Debian (play /ˈdɛbiən/) is a computer operating system composed of software packages released as free and open source software primarily under the GNU General Public License along with other free software licenses. Debian GNU/Linux, which includes the GNU OS tools and Linux kernel, is a popular and influential Linux distribution. It is distributed with access to repositories containing thousands of software packages ready for installation and use." "Debian 6.0 (squeeze) was released February 6, 2011 after 24 months of development. For the first time, Debian GNU/kFreeBSD was introduced with this version as a technology preview."


Ubuntu is built on Debian, and Debian is one of the oldest and most stable distros. It's surprising that you've never heard of it; it's very popular because of its stability.

But I agree with you, there is something fishy about this rootkit that only attacks one distro. I for one would like to know how it got installed.

There's no discussion of how it got installed because it's largely irrelevant. It could have been delivered by any of hundreds of vectors supported by Blackhole or any other exploit kit.

Which is my point exactly. If this is only describing the payload, then the whole article is irrelevant unless we know what delivered the payload. If the payload is all that matters, then there's nothing stopping me from writing up a kernel module that deletes all your partitions or replaces all the entries in your grub.cfg with a giant ASCII trollface.

Hence, this whole article is worthless. I want information on the vector, not the mostly-irrelevant payload.


I think there's value in hearing about new payloads. It doesn't help you harden your defenses, but it provides insight on how malware behaves, including (possibly) how it can be detected and how it spreads.

Writing off exploit payloads as worthless seems premature. It might be worthless for some applications, but I'd think there would be security researchers out there who'd be very interested in WHAT the Bad Guys (TM) are doing with their b0xen after they've gotten their foothold.


True, there's some value for the white-hat crackers that are researching that kind of thing. However, since a rootkit (which is, at the most basic level, just a kernel module that happens to be malicious) can do pretty much anything it wants to once it's actually loaded as kernel-level code, it's a rather silly discussion without information regarding the vector used. The most the payload can do is address that specific instance of malware - the motives, the whodunit, etc. I.e. it explains the "why" without the "how", and the "how" is what's actually important when preventing future attacks.

See my prior posts; what matters to sysadmins and tech support personnel is not what the malware does, but how to prevent it - an aspect which the payload alone cannot easily provide much insight on.

I'm sure it wouldn't be hard to design one for apache since this is done after the user already has root access anyways...

FYI, if they've replaced tcp_sendmsg with something that imitates it and injects malicious code into outbound HTTP responses, then everything on the machine that uses tcp_sendmsg will be affected. That includes Apache, nodejs, everything.

To all those wondering about the attack vector - makes me rethink using an AWS EC2 Community AMI ;-)

I would imagine that the root account is disabled, at least in the Ubuntu appliances (Ubuntu is actually smart there; since every cracker and his mother knows that there's an account called 'root' that can give him full access to a Linux box, disabling direct root logon entirely - like how Ubuntu's set up by default - requires the cracker to both crack passwords and figure out which user(s) is/are sudo-capable). Then again, I'm not exactly sure if Amazon or the AMI vendors leave backdoor sudo-capable accounts for support and/or monitoring, so if they do - and a cracker knows of such a username - then it introduces quite the vulnerability.